To prevent cyberattacks, agency similar to National Transportation Safety Board suggested

February 13, 2018

BLOOMINGTON, Ind. -- After arguably the worst year ever for cyberattacks and data breaches, Indiana University research suggests it may be time to create an independent cybersecurity agency board comparable in approach to the National Transportation Safety Board that investigates airplane crashes and train derailments.

"In the wake of a series of destabilizing and damaging cyberattacks ranging from Equifax to Yahoo, there has been a growing call for the U.S. government to establish an analogue of the National Transportation Safety Board to investigate cyberattacks," the researchers write in the Albany Law Journal of Science and Technology.

The safety board model "separates fact-finding proceedings from any questions of liability, allowing attribution to be established, for example, without parties initiating litigation."

The paper's authors are Scott Shackelford, associate professor of business law and ethics in the IU Kelley School of Business, chair of the Cybersecurity Program and director of the Ostrom Workshop Program on Cybersecurity and Internet Governance at IU Bloomington; and Austin Brady, a degree candidate in the IU Maurer School of Law and IU's Master of Science in Cybersecurity Risk Management.

This approach has been floated in recommendations to the Trump administration by the Center for Strategic and International Studies. But until now, the idea has never received in-depth academic treatment. In their paper, Shackelford and Brady review what led to the creation of the NTSB and evaluate proposals to establish a "National Cybersecurity Safety Board."

"Propositions for strengthening U.S. cybersecurity range widely, from federally sponsored cyber risk insurance programs -- akin to flood insurance -- to allowing companies to have a freer hand to engage in proactive cybersecurity measures," they wrote.

"A common refrain across many of these proposals ... (is a call for) more robust data breach investigations, which could include on-site gathering of data on why the attack occurred so as to help other companies prevent similar attacks. This evokes one of the core functions of the NTSB, that is, to investigate and establish the facts behind an incident, and to make recommendations to help ensure that similar events do not occur in the future."

Enhancing cybersecurity in the emerging Internet of Everything is technologically complex and legally challenging, especially when organizational cultures can be so different. Microsoft has estimated that the number of Internet-enabled devices could increase from 11 billion to 50 billion between 2013 and 2020. Another estimate from Morgan Stanley places the number at 75 billion by 2020.

Shackelford and Brady think a cybersecurity safety board could be a public-private partnership, potentially run by coalitions of companies.

"Funding could come from interested stakeholders, such as insurance companies," they said, "because such secondary markets would benefit from greater clarity surrounding the attribution of claims, as well as more information about the utility of various cybersecurity best practices."

They also acknowledge the limitations and criticisms of a safety board model. Some critics say firms may use it more for settling litigation and managing their reputations than for preventing future attacks. Another concern is that any cyber safety board's conclusions could be out of date by the time they are released, due to the dynamic cyberthreat environment and rapidly changing technologies.

"Such a model would be an improvement on the existing reliance on Cyber Emergency Response Teams and aid in effective policymaking at both the state and federal level, given the lack of hard, verifiable data on the scope of cyberattacks," the authors said.

"The creation of a National Cybersecurity Safety Board could also help law enforcement investigations, particularly local and state agencies without the resources and expertise of the FBI," they added. "This would be a boon to academics needing reliable data to undertake scholarly analysis as well as national security organizations and U.S. strategic partners around the world."

Indiana University
